Static Code Analysis

From OWASP
Revision as of 09:56, 5 January 2012 by Ryan Dewhurst (Talk | contribs)

Jump to: navigation, search
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


Every Control should follow this template.


This is a control. To view all control, please see the Control Category page.

Last revision (mm/dd/yy): 01/5/2012

Description

Static Code Analysis is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Control Flow, Data Flow, Information Flow and/or Pattern Matching.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

Techniques

There are various techniques to analyze static source code for potential vulnerabilities.

Control Flow

TBD

Data Flow

TBD

Information Flow

TBD

Pattern Matching

TBD

Syntax Checks

TBD

Limitations

TBD

Examples

RIPS PHP Static Code Analysis Tool

Rips.jpg

OWASP LAPSE+ Static Code Analysis Tool

LapsePlusScreenshot.png

Tools

Open Source/Free

Commercial

References

[0] Ministry of Defence (MoD). (1997) SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

Further Reading